CVE-2023-42326
Published 2023-11-14
Priority P272 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 64.02% (99.1th percentile)
An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfsense | <= 2.7.0 | — |
| netgate | pfsense_plus | <= 23.05.1 | — |
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 gfif Parameter Remote Code Execution Attempt (CVE-2023-42326) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/interfaces_gif_edit.php"; fast_pattern; http.request_body; content:"__csrf_magic|3d|"; startswith; content:"gifif|3d|"; content:"|3b|"; within:50; reference:url,www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/; reference:cve,2023-42326; classtype:attempted-admin; sid:2049664; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_12_12, cve CVE_2023_42326, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 gfif Parameter Remote Code Execution Attempt (CVE-2023-42326) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/interfaces_gre_edit.php"; fast_pattern; http.request_body; content:"__csrf_magic|3d|"; startswith; content:"greif|3d|"; content:"|3b|"; within:50; reference:url,www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/; reference:cve,2023-42326; classtype:attempted-admin; sid:2049665; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_12_12, cve CVE_2023_42326, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic is an HTTP POST to /interfaces_gif_edit.php; the request body starts with '__csrf_magic=' and contains 'gifif=' followed by a semicolon (|3b|) within 50 bytes. The semicolon is the command-injection delimiter injected into the gifif parameter.
- Exploit traffic is an HTTP POST to /interfaces_gre_edit.php; the request body starts with '__csrf_magic=' and contains 'greif=' followed by a semicolon (|3b|) within 50 bytes. The semicolon is the command-injection delimiter injected into the greif parameter.
- Exploitation requires the attacker to already hold (or steal via XSS) an account with interface-editing permissions; unauthenticated direct exploitation is not possible without first chaining an XSS flaw.
- Snort/ET rules are tuned for perimeter, internal, and SSL-decrypting deployments; without SSL inspection, POST bodies to HTTPS-exposed pfSense instances will not be inspectable and the rules will not fire.
- Affected versions are pfSense CE ≤ 2.7.0 and pfSense Plus ≤ 23.05.01; patched versions are pfSense Plus 23.09 (released Nov 6 2023) and pfSense CE 2.7.1 (released Nov 16 2023).
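
The match conditions described in the bullets above, replayed in Python over constructed requests so the boundaries of the two rules can be checked offline. This is an added example, not part of the ET ruleset or of the original page; `rule_matches`, `triage`, `SAMPLES` and the `TOKEN` / `INJECTED` / `descr` values are assumptions made for illustration.

```python
# Added example: replays the content matches of ET sids 2049664 / 2049665.
TARGETS = {  # URI substring -> body parameter, from the two rules
    b"/interfaces_gif_edit.php": b"gifif=",
    b"/interfaces_gre_edit.php": b"greif=",
}
CSRF_PREFIX = b"__csrf_magic="  # content:"__csrf_magic|3d|"; startswith;
WITHIN = 50                      # content:"|3b|"; within:50;


def rule_matches(method: bytes, uri: bytes, body: bytes) -> bool:
    """True if a request (already TLS-decrypted) satisfies M1 or M2."""
    if b"POST" not in method or not body.startswith(CSRF_PREFIX):
        return False
    for path, param in TARGETS.items():
        if path not in uri:
            continue
        # Try every occurrence of the parameter name, as the engine does.
        start = body.find(param)
        while start != -1:
            end = start + len(param)
            # The ';' must sit inside the 50 bytes after 'gifif=' / 'greif='.
            if body.find(b";", end, end + WITHIN) != -1:
                return True
            start = body.find(param, start + 1)
    return False


GIF, GRE = b"/interfaces_gif_edit.php", b"/interfaces_gre_edit.php"
# Constructed requests, not captured traffic. TOKEN and INJECTED are placeholders.
SAMPLES = [
    (b"POST", GIF, b"__csrf_magic=TOKEN&gifif=gif0;INJECTED&save=Save"),   # M1
    (b"POST", GRE, b"__csrf_magic=TOKEN&greif=gre0;INJECTED&save=Save"),   # M2
    (b"POST", GIF, b"__csrf_magic=TOKEN&gifif=gif0&save=Save"),            # clean save
    (b"POST", GIF, b"__csrf_magic=TOKEN&gifif=gif0&descr=" + b"a" * 60 + b";x"),  # ';' too far
    (b"POST", GIF, b"__csrf_magic=TOKEN&gifif=gif0&descr=lab;uplink"),     # ';' in another field
    (b"POST", GIF, b"__csrf_magic=TOKEN&greif=gre0;INJECTED"),             # wrong page/param pair
]


def triage(samples=SAMPLES):
    """Return one verdict per sample, in order."""
    return [rule_matches(m, u, b) for m, u, b in samples]


if __name__ == "__main__":
    for (m, u, b), hit in zip(SAMPLES, triage()):
        print("ALERT" if hit else "ok   ", u.decode(), b[:60])
```

The fifth sample alerts even though its semicolon belongs to a neighbouring field: the rules only require a raw `;` somewhere in the 50 bytes after `gifif=` or `greif=`, so an alert should be confirmed against the parameter value itself during triage.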
Suricata
ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 gfif Parameter Remote Code Execution Attempt (CVE-2023-42326) M1
suricata·2023-12-12·CVSS 8.8
Suricata
ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 gfif Parameter Remote Code Execution Attempt (CVE-2023-42326) M2
suricata·2023-12-12·CVSS 8.8
No public exploits indexed.